Document security and EHR

What does this mean and how can you invest in this technology and keep your files secure?

By Mary Ann Fitzhugh

One of the most common questions chiropractors and patients alike have about electronic health records (EHR) is how records stay “safe.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February of last year to address the issues of adoption and meaningful use of health information technology.

In particular, subsection D of this law relates to improved privacy and security provisions. In the government’s final meaningful use ruling, which was released in July, compliance with HIPAA privacy and security rules is required for all covered entities, regardless of whether or not they are compensated for EHR compliance through the federal incentive program.

In addition, compliance with the HIPAA Privacy and Security Rules encompasses a wide range of activities, procedures, and infrastructure.

Proven protection

The government’s objective is to protect all information created or maintained in any given EHR system through the implementation of appropriate technical features such as password protection and audit trails.

Part of the complicated certification procedure for all EHR vendors is a security risk analysis and risk management process to confirm that unauthorized personnel cannot access, or edit, any patient’s medical records.

In general, most of these software platforms are highly secure, with key features such as password protection and audit trails to ensure day-to-day document security. Audit trails aren’t just for large networks with multiple offices offering patients a variety of healthcare services, but also for solo chiropractic clinicians who act as their own administrators.

For example, Morgan Baker, DC, says she appreciates that her system offers an edit log, which not only time-stamps when changes are made but also provides a detailed trail that “keeps a log of my edits, so I can see what I’ve changed, and refer back to previous notes.”

Set parameters

In addition, a common feature allows systems administrators to set which in-office personnel may view specific files, or which parts of any given file. All users are given different passwords, meaning each user can have access to distinct parts of the system.

For example, one employee may only be able to access scheduling functionalities, while others can see clinical history. “Break glass” functionality alerts the systems administrator to any attempted unauthorized access to patient records.

Nothing lost

While EHR eliminates the days of paper files getting misplaced or lost within the office, it’s still possible for electronic files to be lost. Lost or deleted files are far more common than deliberate theft, but the results are equally distressing for the patient.

It is extremely important not only to have restricted access to your server, but also to maintain a backup of all current files. HIPAA Security Regulations dictate specific details as to how the electronic information used by the healthcare industry should be stored, transferred, and used to ensure the privacy of individually identifiable data related to a patient’s healthcare.

Your backup is your first defense against the loss of patient data.

Compliant safeguards

Compliance with HIPAA safeguards was previously mandated by law for HIPAA-covered entities, but soon will extend to business associates, contractors, and subcontractors as well.

While HIPAA safeguards expand, the ultimate goal is not just to keep medical records safe, but also to be able to share information. Just as your ATM card allows you convenient access to your bank account from all over the world, ideally your health information will also find a similar path with the goal of better and more convenient healthcare.

As regulators work out how to balance security and accessibility, requirements are bound to keep changing. This underscores the importance of finding an EHR provider that adapts and works with you. It should be the responsibility of the software provider to update to new regulations, not the burden of health providers to find ways to make the software comply with government regulations.

Ultimately, document security success is dependent on how stringently a chiropractic practice has integrated HIPAA compliance into its daily processes and protocols for data management, technical safeguards, and administrative management of patient health information, whether or not the records are online.

And then the key is finding an EHR system that knows the regulations and has them integrated into the software — allowing you to successfully face the future of healthcare IT.

Mary Ann Fitzhugh is the vice president of marketing for Compulink Business Systems Inc., an industry leader in fully customizable electronic health records (EHR) and practice management solutions. She can be reached at 800-456-4522.